Re: Global PKI on DNS?



David Conrad <david.conrad at nominum.com> writes:

> On 6/12/02 8:20 AM, "Eric Rescorla" <ekr at rtfm.com> wrote:
> >> But I can do
> >> this only if I can discover certs that *aren't* either in the set it hands
> >> me or in my local set, and TLS says nothing about how to do this.
> > Yes, because it's an edge case.
> 
> Scalability as an edge case.  Hmm.
Well, I see that you're as confused about what I said as Bob was.

If you have a singly-rooted cert hierarchy, then you always can
provide an explicit path to a known root. This scales extremely
well. 

> > I think it's a little early to start
> > worrying about cross-certification.
> 
> I think it is more than a bit late.

I guess we'll just have to differ here.

-Ekr


-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
